Hacked iTunes Store Accounts: Apple's Problem That Won't Go Away


Apple's iTunes Store is a fantastic success, with billions of
songs and apps sold and, as Steve Jobs said in March, more than
200 million registered accounts.

What Jobs and Apple don't like to see publicized is the fact that
hundreds, perhaps thousands of iTunes accounts have been getting
hacked for the better part of a year — and that Apple doesn't
seem to be able to stop it.

On Apple's discussion boards, there are some 27 pages of complaints about account
fraud, with some posts dating back to November.

Craig Williams' case is typical. The Portland, Ore., resident
discovered someone had installed the free "Kingdom Conquest"
role-playing game via his iTunes account, and then bought in-game
items, which can quickly rack up costs.

Williams was paying for his iTunes purchases via PayPal, rather
than with his credit card.

"I'm surprised they stopped at $90 in my PayPal account," he
said.

Most people in the discussion forum reported that Apple had
refunded their money, if reluctantly. But the company has not
said what — if anything — it can or will do to stop the fraud.

Apple has not commented on the issue so far, and calls and emails
to several spokespeople were not returned.

The hacking highlights the problem of balancing security and
convenience, especially considering that Apple has just rolled
out its iCloud service and hopes to persuade millions of people
to store their data on the Internet. Attacks such as these iTunes
Store hacks do not help to build confidence in such services.

"I was intrigued about the iCloud service, but who knows now,"
said a Washington, D.C.-based attorney who spoke on the condition
of anonymity. "With what has recently happened, I am going to
feel better about having all my 'stuff' on my computer where I
feel like I have some semblance of control over it."

The attorney lost $23 after he redeemed a gift card on iTunes and
a hacker bought in-game items for multiple copies of "Kingdom
Conquest."

One password to rule them all

One aspect of the iTunes/App Store systems is that a single
username and its associated password — the Apple ID — accesses
not only the iTunes Store, but also a user's MobileMe accounts,
iChat, Ping and FaceTime. It also logs the user into Apple's
discussion boards.

Anyone who gets another user's Apple ID and password has access
to every account connected to that user's devices — iPhone and
iPad included.

The methods used to take over an iTunes account are probably
relatively simple, security experts said. A malicious developer
could write a perfectly innocent-seeming app that asks for a
user's Apple ID and password and then sends them to someone else.

Apple tests each app it sells or gives away in the App Store for
functionality and suspicious behavior, but it does not examine
the code. Rogue apps, such as some that secretly allow laptops to
use the phone's cellular data connection, have sneaked through.

An attacker could also use a fraudulent website or email address
to obtain the passwords to the account and buy an app (which may
in itself be perfectly harmless), funneling money to the hacker.

It's also possible for hackers to install keylogging software on
users' PCs that captures passwords as they're typed in, or to use
a "brute force" attack to guess passwords. (The fact that some
users in the discussion forum reported being temporarily locked
out of their accounts indicates the latter was happening.)

Breach not at system level

The hackers do not seem to have accessed the servers Apple uses
to store credit-card data and other user information, said David
Scheutz, a consultant at the Intrepidus Group, a New York company
that provides advice on network security.

The thefts have been for relatively small amounts, usually less
than $100. They also have been spread out over time.

In the massive breach into Sony's PlayStation Network servers in
April, 102 million records were compromised in the space of a few
days. The number of users hit in the latest iTunes scams might
number in the tens of thousands at most — even assuming only a
small percentage of hacked users are willing to vent on the
discussion boards.

The fraud is unlikely to make a difference in Apple's results for
the quarter (which ends this month).

"It would have to be a lot more credit card numbers compromised,"
said Kevin Dede, an analyst at Brigantine Advisors in New York.

Apple said it beefed up security last year after just such a
fraud case. A Vietnamese developer hacked some 400 iTunes
accounts in order to use their credit card details to boost sales
of his comic book apps. Apple banned the developer and gave users
the power to limit in-app purchases.

For example, some banks ask clients to log in with "virtual
keyboards," on-screen keyboards in which keys are "tapped" using
mouse clicks. That would stop keyloggers.

Khera also suggested Apple could check apps to see if they
request passwords and send data. An automated system could see
which of the hundreds of thousands of existing apps request
passwords. Out of those, humans could determine if any transmit
them. (Google's Android Store notifies users of such app
permissions during the installation process.)

Khera said that while Apple can't vet every developer, there are
methods of checking to see if purchases are questionable. Credit
card companies watch for odd patterns of purchases, and often
call customers if they suspect anything. Apple could do something
similar, given the massive amount of customer data it has.

Scheutz agreed, though he said the algorithm for fraud detection
would have to be more sophisticated because iTunes purchases will
all look the same.
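As an added illustration of the purchase-pattern check Khera and Scheutz describe (example code written for this article, not anything Apple runs), the following Python scores a constructed purchase ledger: individual in-app purchases look identical, so the signal comes from their rate, their total and whether the buying device has any history on the account. The field layout, thresholds and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ledger for this example (not real Apple data):
# (account, ISO-8601 time, device id, app, event kind, USD charged)
EVENTS = [
    ("alice", "2011-06-01T09:00:00", "dev-A", "Pages", "install", 9.99),
    ("alice", "2011-06-03T18:30:00", "dev-A", "Angry Birds", "iap", 0.99),
    ("bob",   "2011-05-20T12:00:00", "dev-B", "Mail", "install", 0.00),
    ("bob",   "2011-06-02T03:10:00", "dev-Z", "Kingdom Conquest", "install", 0.00),
    ("bob",   "2011-06-02T03:12:00", "dev-Z", "Kingdom Conquest", "iap", 19.99),
    ("bob",   "2011-06-02T03:13:00", "dev-Z", "Kingdom Conquest", "iap", 19.99),
    ("bob",   "2011-06-02T03:15:00", "dev-Z", "Kingdom Conquest", "iap", 19.99),
    ("bob",   "2011-06-02T03:16:00", "dev-Z", "Kingdom Conquest", "iap", 19.99),
]


def flag_accounts(events, window=timedelta(minutes=30), max_iap=3, max_usd=50.0):
    """Return {account: [reason, ...]} for accounts whose ledger shows the
    takeover pattern from the article: a burst of in-app purchases soon after
    a free app is installed, often from a device the account never used before.
    The thresholds are hypothetical; a real system would tune them per market."""
    by_acct = defaultdict(list)
    for acct, ts, dev, app, kind, usd in events:
        by_acct[acct].append((datetime.fromisoformat(ts), dev, app, kind, usd))
    flags = defaultdict(list)
    for acct, rows in by_acct.items():
        rows.sort()
        iaps = [r for r in rows if r[3] == "iap"]
        for i, (t0, dev, app, _, _) in enumerate(iaps):
            # Velocity check: all in-app purchases inside the window from t0.
            burst = [r for r in iaps[i:] if r[0] - t0 <= window]
            spent = sum(r[4] for r in burst)
            if len(burst) < max_iap and spent < max_usd:
                continue
            flags[acct].append(
                f"{len(burst)} in-app purchases (${spent:.2f}) in {app} within {window}")
            # Device-history check: did the account use other devices before
            # the buying device first appeared? If so, this device is new.
            first_seen = min(r[0] for r in rows if r[1] == dev)
            older = {r[1] for r in rows if r[0] < first_seen}
            if older and dev not in older:
                flags[acct].append(f"purchases from never-seen device {dev}")
            break  # one report per account is enough for review
    return dict(flags)


if __name__ == "__main__":
    for acct, reasons in flag_accounts(EVENTS).items():
        print(acct, "->", "; ".join(reasons))
```

A flagged account would go to a human reviewer or trigger a confirmation with the customer, which is the step the credit card companies already take.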

But until Apple installs such a system, both Khera and Scheutz
noted the only thing most users can do is to change their
passwords often, to not leave credit card information on the
system and to use strong passwords that aren't used to log into
other online accounts.

Scheutz said iTunes Store hacking isn't likely to stop, given how
popular iTunes has become. New viruses and password-stealing
malware are in a constant arms race with anti-virus software,
with the malware writers often several steps ahead.